Configuring Mountain Lion's Users & Groups

Throughout these Mac 101 lessons I've made references to your --user folder, your account, and Administrators. And it's possible that you've taken it on faith that I'll explain what these things are and how they fit into all that is the Mac OS. Now is that time.

Email this to a friend

Characters remaining:

What is A + B?

Throughout these Mac 101 lessons I've made references to your --user folder, your account, and Administrators. And it's possible that you've taken it on faith that I'll explain what these things are and how they fit into all that is the Mac OS. Now is that time.

Mountain Lion, as was every other version of OS X before it, is a multiuser operating system. Think of it this way: You have a house and within it there are rooms for you, your mate, your daughter, and your son. Each room is arranged and decorated by the person who inhabits it. All your stuff is in your room and when you close the door, the other people living in that house have no idea what you're doing with your stuff.

Now replace "house" with "Mac OS" and "room" with "user" and you've got the idea. You can have multiple user accounts on a single Mac, and each user has access to the applications on that Mac as well as their stuff--documents, movies, music, and so on.

About user accounts

But like a family living in a house, in this multiuser operating system some users have more power (or privileges) than others. Mom gets to tell Sis when to go to bed. Sis tells little Biffy that he's a gross little pig. And Dad gets to sit on the couch and spend his leisure time watching men bashing into one another and courting concussions. Let's walk through the different kinds of users that can inhabit your Mac along with the powers they possess.

Start by launching System Preferences and selecting Users & Groups from the System area. On the left side of the resulting window, you'll see a User pane that lists any users currently configured on the Mac. By default you'll see two--your user account, which will appear under the Current User heading, and Guest User, which appears below Other Users. By default, the word Admin will appear under your username. Let's talk about that.

There are five different types of user accounts available to you--Administrator, Standard, Managed with Parental Controls, Sharing Only, and Group. They break out this way:

Administrator: An Administrator user has the most control of all the default user accounts. This user can create other user accounts (as well as modify and delete them), install new software that everyone on the computer can use, and unlock locked items (such as certain system preferences) so that they can be edited (or in the case of locked files, deleted). By default, when you first create an account on a new Mac, you create an Administrator account.

Standard: Standard users can install software only for their own account and modify user settings that apply only to their account (the desktop pattern, for example). These users can't add or modify other user accounts.

Managed with Parental Controls: This is an account created by an Administrator that's limited for the protection of the intended user (largely created for a young child who you don't want visiting unsavory websites or communicating with strangers). I'll devote a future column to Parental Controls.

Sharing Only: This account is intended solely for those who want to log into your Mac from another computer. Once they do, they have access only to your shared folders and shared screen. (See Exploring the Mac's Sharing Features.) You can't log into a Sharing Only account from the Mac that bears it.

Group: This is another kinda/sorta account that's a bit like a Sharing Only account. The difference is that the people you allow to access shared items on your Mac must have user accounts on that Mac. I'll explain this in greater detail shortly.

Guest User: This account doesn't appear in the New Account pop-up menu because it's installed on your Mac by default. It's an account that can't be deleted. This account is created with this kind of situation in mind:

A friend has come over and she'd very much like to use Safari to check her email. You don't want her nosing around in one of your accounts so you tell her to click the Guest User account on the login screen. She does so and is presented with the standard Mac interface. She can then launch Safari, travel to wherever it is she views her webmail, and then log out. Any files she's created will be automatically deleted as soon as she logs out. That way, when the next "guest" logs in, they will see no traces of your friend's activities.

Creating a user account

Creating a new user account isn't difficult, but you must be using an Administrator account to do it. (Again, this is one of the perks of being an Administrator.) It goes like this:

With the Users & Groups system preference open, click the lock icon in the bottom-left corner of the window. Enter your Administrator's username and password and click the Unlock button.

Click the plus (+) button at the bottom of the user list and a sheet appears. In that sheet is a New Account pop-up menu where you can choose the kind of account you wish to create. For now, let's choose Standard.

Enter the full name of the person whose account you're creating--Snidely Whiplash, for example. Click in the Account Name field and your Mac will create an account name for you--snidelywhiplash, in this case. You can change that name if you like. Then enter and verify a password for that user. (Don't use the same password you use for another account, including your own.) Enter a password hint if you like (Hans Conried) and click Create User. That account will now appear in the user list.

With that account created you see that you have a few options. You can, for example, change the picture associated with the account by clicking the current picture and choosing a new icon, selecting a recent icon, or clicking Camera and taking a picture that will be associated with the account. You can also set or create an Apple ID for the account. That allows the account to work with the iCloud identity associated with it. You can additionally choose to allow the user to administer the computer (which changes the account's status to Administrator until you disable this option and turn it back into a Standard account). And you can enable parental controls for that user (which, again, I'll discuss at length in a future column).

Configuring a Group account

Creating an Administrator's account works much the same way. The one account (other than Managed with Parental Controls) that requires a bit more explanation is the Group account. This is an account where you allow groups of certain users already registered on your Mac to have access to specific folders.

Let's say, for example, you've set up standard user accounts for your four nephews--Pipeye, Peepeye, Pupeye, and Poopeye. Pipeye and Peepeye are upstanding young men and can be trusted. Pupeye and Poopeye, however, are pipe-smoking rapscallions. Within the Users & Groups preference you, as Administrator, go through the usual motions to create a new account, but this time you choose Group from the New Account pop-up menu.

Name the group Nephews and then click Create Group. You'll now see the group name in the Name field and a Membership area below, which contains a list of all the user accounts on your Mac. In that list are Pipeye, Peepeye, Pupeye, and Poopeye's accounts. Check the box next to Pipeye and Peepeye's names to add them to your Nephews group.

Now that we've created the group, let's create a folder that just these honorable lads can access.

Within the Documents folder inside your user account, create a new folder and call it Good Boys. Select that folder and choose File > Get Info (or press Command-I). Click the triangle next to Sharing & Permissions in the resulting window, click the lock icon, and enter your administrator's username and password. Now click the plus (+) button at the bottom of the Info window and in the sheet that appears select your Nephews group and click Select. You've just granted Pipeye and Peepeye access to that folder.

Currently that access is Read Only, meaning that the boys can open any documents in that folder. If you wish to let them place things in that folder as well, click Read Only and select Read & Write from the menu that appears. They can now do pretty much what they like with the contents of that folder. Pupeye and Poopeye, however, can't touch it because they're not part of the group with those privileges.

Your account options

There are a couple of additional things you can do within the Users & Groups preference. Exactly what you can do depends on the kind of user you are.

If you're an Administrator or Standard user, you can configure your account's login items--applications and processes that start up whenever you log into your account.

Just select your account, click the Login Items tab, and you'll see any login items currently active for your account. To add another--say you want Mail to always launch when you log into your account--click the plus (+) button and in the sheet that appears, navigate to the Mail application, select it, and click the Add button. To remove a login item, select it and click the minus (--) button.

If you're an Administrator you can additionally configure the Mac's login options. To do that, click the lock icon at the bottom of the window, enter an administrator's username and password, and click Unlock.

You can now configure a number of options related to the login screen. They include:

Automatic login: From this pop-up menu, you can choose to have your Mac automatically log in to a specific account. When you select a user, you'll be prompted for that user's password. If your Mac is in a public space, this is not a good option to enable as anyone who fires up your Mac will automatically be logged into this account. In such a situation, be sure that this is set to Off.

Display Login Window As: You're presented with two options--List of Users, and Name and Password. If you choose the first option (which is on by default) the login screen will show icons and names for all the users configured for the Mac. Just click one, enter that user's password, and log in. If, instead, you choose Name and Password, you'll see only blank name and password fields, which you must correctly fill. This latter option is more secure in that you have to know both a viable username and password to log into an account.

Show the Sleep, Restart, and Shut Down Buttons: This too is on by default. If you don't wish to give users the power to perform these actions from the login screen, switch this option off.

Show Input Menu in Login Window: I covered the Mac's input source options in The Mac's Linguistic Tricks should you need a refresher on just what a multilingual marvel your Mac is. The point of this option is to allow others logging into the Mac to choose a different language setup. For example, if you live in a country where multiple languages are commonly spoken, one user may prefer to use the German language while another may wish to use French and yet another, Australian English. With this option enabled, those users will be able to choose their language before the Finder appears.

Show Password Hints: When you first set up an account you're prompted to enter a hint--something to remind you of what a password might be. If you enter an account's password incorrectly three times, the password hint will appear.

Show Fast User Switching Menus As: For some time Mac OS X has had a terrific feature called Fast User Switching. The idea is that multiple users can be logged into the computer at one time, but only one account can be active. Rather than having to log out of one account and fire up another, by using Fast User Switching you can simply select another account and switch to it (after entering that account's password). This setting controls whether Fast User Switching is on or off as well as lets you choose how its menu is configured.

Once the option is enabled, so too is Fast User Switching. You'll know that it is because, by default, the account's full name will appear in the right side of the menu bar. From the Fast User Switching pop-up menu you can choose to view that menu not as an account's full name but by the short name or the account's icon.

To engage Fast User Switching, just choose another account name from the menu. The Mac's interface will swivel around, and you'll be presented with a dialog box where you enter that account's password to log into it. The account you were working in will go dormant while you play around in the one you've switched to.

Use VoiceOver in the Login Window: VoiceOver is Apple's free screen reader that allows those with visual impairments to use the Mac. As users pass the Mac's cursor over items, the names of those items are spoken. If someone using the Mac needs this kind of assistance, switch this option on.

Final words

You now know the mechanics of the Users & Groups system preference. Here's a little additional advice: With an Administrator's account comes a fair heap of responsibility. With such an account it's possible to accidentally delete files that you (or worse, your Mac) needs. And with an Administrator's password in hand, someone who's not entirely sure of what they're doing can configure important system preferences in confounding ways. If you're not entirely comfortable with your Mac (and this shoe fits many people reading Mac 101), it's not a bad idea for you to create an additional account--a Standard account rather than an Administrator's account--and use it by default. Doing so helps ensure that you don't futz with things you shouldn't.

It's also worth your while to create a troubleshooting account--one that does have Administrator's privileges--and then leave it alone. We haven't gotten into troubleshooting yet, but one common technique is to have such an account and when things go blooey in your regular account, switch to the troubleshooting account to see if the same problems occur there. If they don't, you then know that there's something amiss in your regular account.